Make ssh client password login configurable.

Defaults to not allow which might be a bit restrictive.

roles/ansible-ssh-hardening/defaults/main.yml

@@ -17,6 +17,9 @@ ssh_server_weak_hmac: false             # sshd
 ssh_client_weak_kex: false              # ssh
 ssh_server_weak_kex: false              # sshd
 
+# If true, password login is allowed. For sshd, it is always set to no password login.
+ssh_client_password_login: false          # ssh
+
 # ports to which ssh-server should listen to and ssh-client should connect to
 ssh_ports: ['22']      # sshd + ssh
 

roles/ansible-ssh-hardening/templates/openssh.conf.j2

@@ -125,7 +125,7 @@ RhostsRSAAuthentication no
 RSAAuthentication yes
 
 # Disable password-based authentication, it can allow for potentially easier brute-force attacks.
-PasswordAuthentication no
+PasswordAuthentication {{ 'yes' if ssh_client_password_login else 'no' }}
 
 # Only use GSSAPIAuthentication if implemented on the network.
 GSSAPIAuthentication no